Deploy HRM Lambda #611
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (C) 2021-2023 Technology Matters | |
| # This program is free software: you can redistribute it and/or modify | |
| # it under the terms of the GNU Affero General Public License as published | |
| # by the Free Software Foundation, either version 3 of the License, or | |
| # (at your option) any later version. | |
| # | |
| # This program is distributed in the hope that it will be useful, | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| # GNU Affero General Public License for more details. | |
| # | |
| # You should have received a copy of the GNU Affero General Public License | |
| # along with this program. If not, see https://www.gnu.org/licenses/. | |
| name: 'Deploy HRM Lambda' | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: HRM environment to deploy. | |
| default: development | |
| required: true | |
| type: choice | |
| options: | |
| - development | |
| - staging | |
| - production | |
| lambda_path: | |
| description: 'Lambda path' | |
| required: true | |
| type: choice | |
| options: | |
| - hrm-domain/lambdas/files-urls | |
| - hrm-domain/lambdas/contact-retrieve-transcript | |
| - hrm-domain/lambdas/search-index-consumer | |
| - lambdas/job-complete | |
| - resources-domain/lambdas/import-consumer | |
| - resources-domain/lambdas/import-producer | |
| - resources-domain/lambdas/search-index | |
| workflow_call: | |
| secrets: | |
| AWS_ACCESS_KEY_ID: | |
| required: true | |
| AWS_SECRET_ACCESS_KEY: | |
| required: true | |
| inputs: | |
| environment: | |
| description: HRM environment to deploy. E.G = development, staging, production (must match with the AWS environment value). Default value = development | |
| type: string | |
| default: development | |
| required: true | |
| lambda_path: | |
| description: 'Lambda path' | |
| required: true | |
| type: string | |
| send-slack-message: | |
| description: 'Specifies if should send a Slack message at the end of successful run. Defaults to true' | |
| required: false | |
| default: 'true' | |
| type: string | |
| env: | |
| # if anything is set as a secret, it can't be used in outputs. So we need to set it as an env var | |
| PRIMARY_AWS_REGION: us-east-1 | |
| jobs: | |
| build_lambda: | |
| name: Build Lambda Image | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix_json: ${{ steps.generate-output.outputs.matrix_json }} | |
| docker_image: ${{ steps.generate-output.outputs.docker_image}} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.PRIMARY_AWS_REGION }} | |
| # this plugin sets the AWS account ID to a secret which is not allowed in outputs | |
| # we have to disable that so repo output will work | |
| mask-aws-account-id: 'no' | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| - name: Set Build Args | |
| run: | | |
| lambda_full_path=${{ inputs.lambda_path }} | |
| # Extracting directory and lambda name from the lambda path | |
| build_lambda_dir=$(dirname $lambda_full_path) | |
| build_lambda_name=$(basename $lambda_full_path) | |
| repo_name="${lambda_full_path//-domain\/lambdas\//-}" | |
| repo_name="${repo_name#hrm-}" | |
| repo_name="${repo_name//lambdas\//}" | |
| repo_name="${repo_name//\//-}" | |
| echo "ecr_repository=${{ inputs.environment }}/hrm-$repo_name" >> $GITHUB_ENV | |
| echo "build_lambda_name=$build_lambda_name" >> $GITHUB_ENV | |
| echo "build_lambda_dir=$build_lambda_dir" >> $GITHUB_ENV | |
| - name: Build and Push Docker Image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: ./ | |
| file: ./lambdas/Dockerfile | |
| build-args: | | |
| lambda_name=${{ env.build_lambda_name }} | |
| lambda_dir=${{ env.build_lambda_dir }} | |
| push: true | |
| tags: ${{ steps.login-ecr.outputs.registry }}/${{ env.ecr_repository }}:live,${{ steps.login-ecr.outputs.registry }}/${{ env.ecr_repository }}:${{ github.sha }} | |
| # The matrix build supports `lambda-groups` defined in the environment-region-map.json file | |
| # This allows us to deploy multiple lambdas to specific env/region combos that use a common docker image | |
| # That is some pretty intense JQ, but it works. | |
| # The current behavior is: If a key that matches the lambda name is found in the lambda-groups object, then | |
| # created separate entries for each region/lambda combo. Otherwise, just use the lambda name and deploy to all | |
| # regions that exist for that environment. | |
| # matrices don't support complex object structures, so we generate a flat array of objects that contain the | |
| # region and lambda name. If there are multiple lambdas, the region will be repeated for each lambda. | |
| - name: Generate output | |
| id: generate-output | |
| run: | | |
| # output to logs | |
| matrix_json=$(jq -c --arg env "${{ inputs.environment }}" '[.[$env][] | {region: .}]' ./.github/workflows/config/environment-region-map.json) | |
| echo "matrix_json=$matrix_json" >> $GITHUB_OUTPUT | |
| echo "docker_image=${{ steps.login-ecr.outputs.registry }}/${{ env.ecr_repository }}:${{ github.sha }}" >> $GITHUB_OUTPUT | |
| deploy_lambdas: | |
| needs: build_lambda | |
| name: Deploy to Amazon ECS | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: ${{ fromJson(needs.build_lambda.outputs.matrix_json) }} | |
| env: | |
| DOCKER_IMAGE: ${{ needs.build_lambda.outputs.docker_image }} | |
| steps: | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ matrix.region }} | |
| # this plugin sets the AWS account ID to a secret which is not allowed in outputs | |
| # we have to disable that so repo output will work | |
| mask-aws-account-id: 'no' | |
| # The search and replace is kinda ugly but works. We need to replace the primary region with the region we're deploying to. | |
| # because lambdas don't support ECR images in different regions. We use cross region replication in ECR to make the image | |
| # that is pushed in the primary region available in all other regions. | |
| - name: Update Lambda and Publish | |
| run: | | |
| DOCKER_IMAGE=$(echo "${{ env.DOCKER_IMAGE }}" | sed -r 's/${{ env.PRIMARY_AWS_REGION }}/${{ matrix.region }}/g') | |
| DOCKER_IMAGE_BASE=$(echo "$DOCKER_IMAGE" | cut -d':' -f1) | |
| LAMBDA_FUNCTIONS=$(aws lambda list-functions --query "Functions[?contains(Description, 'ecr_image:${DOCKER_IMAGE_BASE}')].FunctionName" --output text) | |
| if [ -z "$LAMBDA_FUNCTIONS" ]; then | |
| echo "Warning: No Lambda functions found for image $DOCKER_IMAGE_BASE" | |
| exit 0 | |
| fi | |
| for LAMBDA in $LAMBDA_FUNCTIONS; do | |
| OUTPUT=$(aws lambda update-function-code --function-name $LAMBDA --image-uri "$DOCKER_IMAGE" --publish) | |
| NEW_VERSION=$(echo "$OUTPUT" | jq -r '.Version') | |
| ALIAS_EXISTS=$(aws lambda get-alias --function-name $LAMBDA --name live || echo "not_exists") | |
| if [ "$ALIAS_EXISTS" == "not_exists" ]; then | |
| aws lambda create-alias --function-name $LAMBDA --name live --function-version $NEW_VERSION | |
| else | |
| aws lambda update-alias --function-name $LAMBDA --name live --function-version $NEW_VERSION | |
| fi | |
| done | |
| # reconfigure AWS credentials to use the default region for SSM Parameter Store. | |
| # aws-actions/configure-aws-credentials@v4 overrides env.AWS_DEFAULT_REGION, so | |
| # we name our env var PRIMARY_AWS_REGION to avoid that. | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.PRIMARY_AWS_REGION }} | |
| # Set any env vars needed from Parameter Store here | |
| - name: Set GITHUB_ACTIONS_SLACK_BOT_TOKEN | |
| uses: 'marvinpinto/action-inject-ssm-secrets@latest' | |
| with: | |
| ssm_parameter: 'GITHUB_ACTIONS_SLACK_BOT_TOKEN' | |
| env_variable_name: 'GITHUB_ACTIONS_SLACK_BOT_TOKEN' | |
| - name: Set ASELO_DEPLOYS_CHANNEL_ID | |
| uses: 'marvinpinto/action-inject-ssm-secrets@latest' | |
| with: | |
| ssm_parameter: 'ASELO_DEPLOYS_CHANNEL_ID' | |
| env_variable_name: 'ASELO_DEPLOYS_CHANNEL_ID' | |
| # Send Slack notifying success | |
| - name: Slack Aselo channel | |
| id: slack | |
| uses: slackapi/[email protected] | |
| with: | |
| channel-id: ${{ env.ASELO_DEPLOYS_CHANNEL_ID }} | |
| slack-message: '`[HRM lambdas - ${{ inputs.lambda_path }}]` Deployment of ${{ github.ref_type }} `${{ github.ref_name }}` requested by `${{ github.triggering_actor }}` completed with SHA ${{ github.sha }} to region `${{ matrix.region }}`, environment `${{ inputs.environment }}` :rocket:.' | |
| env: | |
| SLACK_BOT_TOKEN: ${{ env.GITHUB_ACTIONS_SLACK_BOT_TOKEN }} | |
| if: ${{ inputs.send-slack-message != 'false' }} | |
| # Update deployment matrix with region as identifier and lambda path as service repo | |
| - name: Update deployment matrix | |
| id: update-deployment-matrix | |
| uses: techmatters/flex-plugins/.github/actions/deployment-matrix@master | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.PRIMARY_AWS_REGION }} | |
| identifier: ${{ matrix.region }} | |
| environment: ${{ inputs.environment }} | |
| service_repo: ${{ inputs.lambda_path }} | |
| version_tag: ${{ github.ref_name }} |